2018 was a tough year for data privacy – probably the toughest in the last decade. On 25 May 2018, the European Data Protection Regulation came into force, changing the way personal data is handled in Europe. So what can we expect in 2019 from the GDPR and the authorities that enforce the regulation?
The GDPR in 2018
Before and after May 2018, companies did a lot to implement data protection measures and processes that comply with the requirements of the GDPR. Some (mostly the bigger corporate groups) started long before the final date of 25 May and can now proudly say that they are fully compliant; others (mostly the small and medium-sized companies) needed a bit more time and sometimes struggled to implement all the accountability and documentation requirements the GDPR stipulates. However, in general, it seems as if almost every company has at least done some general implementation of the GDPR requirements and has some kind of “data protection management system” in place.
The role of the authorities
The data protection authorities in Europe had (and still have) a lot to do to handle all matters related to the GDPR. They not only have to give guidance on certain GDPR-related matters (such as cookies, Facebook Fanpage, etc.), but they also receive many data breach notifications as well as consent and privacy-related complaints. Over the summer, the United Kingdom’s Information Commissioner’s Office reported a 160% uptick in data breach complaints from the year before. Whistleblower reports on company data breaches in the United Kingdom have almost tripled, AdExchanger reports.
The Next Web reports that a number of high-profile complaints have also been lodged with data protection agencies in Europe. For example, noyb, a group of privacy activists, filed complaints against Google, Facebook, Instagram, and WhatsApp over “forced consent” because the GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR).
Sanctions and fines?
But all those new requirements of the GDPR did not lead to many more (and higher) sanctions and fines. It feels as if the authorities have been quite “soft” in this regard.
“For a reform of this scope and magnitude, it’s only expected that several months will pass before enforcement comes into focus. 2018 wasn’t even a full year for GDPR”,
said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals, according to AdExchanger.
Will everything change in 2019?
The data protection authorities are prepared for the new year and new challenges.
DPAs in Europe have been increasing their staff numbers and expertise. The Irish Data Protection Commission (DPC) has, for example, grown from fewer than 30 employees back in 2014 to 130 staff members in 2018, with plans for further expansion of staff and expertise in 2019, The Next Web reports.
In 2019, a lot of standards will be scrutinized, and issues like privacy by design will be at the top of the authorities’ list.
“I expect individuals’ consent and the propagation of data protection requirements along the digital supply chain will be areas of intense scrutiny,”
However, data protection authorities will – and already did – make a distinction between those companies which have at least tried to comply with the GDPR requirements and those which are just not willing to make any effort.
“It’s one thing telling a regulator and the public, ‘We did our best, but still suffered a breach,’ and it’s quite another to say, ‘Sorry, we just weren’t prepared yet.’ It’s in those latter cases that we can expect to see the large 4% of annual global revenue fines”,